Tuesday, September 26, 2017

Tag: European countries

Turla uses social media and clever programming techniques to cover its tracks.
In the several years that the Dridex family has existed, there have been numerous unsuccessful attempts to block the botnet's activity.

The ongoing evolution of the malware demonstrates that the cybercriminals are not about to bid farewell to their brainchild, which is providing them with a steady revenue stream.
According to KSN data, Kaspersky Lab solutions detected and repelled 479,528,279 malicious attacks from online resources located in 190 countries all over the world.

File antivirus detected a total of 174,989,956 unique malicious and potentially unwanted objects.
Old drugs don't make money, but are better for patients and fight drug resistance.
Ransomware attack appears to be targeting institutions in several European countries.
Microsoft has been cautious about making its Surface product line available worldwide.
It tests devices in specific markets, sees how they do, and, if the response is good, ships them to those areas. The company appears to have received a strong...
100+ companies from 28 countries represented amongst the finalists. [London, 27 February 2017] The finalists for the European IT & Software Excellence Awards 2017 (www.iteawards.com) – the leading pan-European awards for ISVs, Solution Providers and Systems Integrators and their vendor and distributor partners – were announced today by IT Europa.

A total of 61 solution providers, 39 ISVs and 51 suppliers from 28 European countries have made the finals.

The winners will be announced at the... Source: RealWire
New compliance mark establishes data protection standards and practices to protect customer data and comply with European law. Brussels, 14th February 2017.

The Cloud Infrastructure Services Providers in Europe (CISPE), a coalition of cloud computing lea...

DDoS attacks in Q4 2016

2016 was the year of Distributed Denial of Service (DDoS) with major disruptions in terms of technology, attack scale and impact on our daily life.
In fact, the year ended with massive DDoS attacks unseen before, leveraging Mirai botnet technology.

Expensive free apps

This post is the result of collaboration between Elevenpaths (Telefónica Cyber Security Unit) and Kaspersky Lab.

Both companies have used their own expertise, researchers and tools, such as Tacyt (an innovative tool for the monitoring and analysis of mobile threats) and GReAT’s internal tools and resources.
Big Brother and Google Play

Fraudulent apps trying to send premium SMS messages or trying to call high-rate phone numbers are not something new.

Actually, it is easy to find them, especially in Spain, Russia and some other European countries. Of course, it is much more interesting to talk about how certain groups bypass detection mechanisms such as those used by Google Play, since this has become difficult to achieve in the past few years. Some years ago it was pretty easy to upload a dialer (or other similar fraudulent app) to Google Play [1] [2], but new detection mechanisms forced attackers to focus on alternative markets, at least for a period of time. Recently, we found a Spanish group that successfully uploaded a non-official Big Brother (Gran Hermano) TV show app; Big Brother is one of the most popular TV shows in Spain, having been on the air for 16 years now. [Analysis:cdd254ee6310331a82e96f32901c67c74ae12425] This was not a very sophisticated app, but they were able to upload it to Google Play using an old trick.

First, they uploaded a clean and innocuous version that, of course, passed the security controls of Google Play.

Then, some days later, a new version was uploaded with a major feature update, including subscription to paid services.

This trick was extremely simple but successful, since the app was on Google Play for around two months (from mid September to mid November 2015). It seems this was not the first time this group tried to upload a Big Brother-like app. We have detected (via Tacyt [3]) at least another 4 similar applications that, based on some particular logging messages we found in the code, could have the same origin:

com.granhermano.gh16_1; from 2015-09-15 to 2015-09-22
com.granhermano162; from 2015-09-29 to 2015-11-14
com.granhermanodieciseis; from 2015-09-29 to 2015-11-11
com.granh.gh16_3; from 2015-10-05 to 2015-10-15
com.hisusdk; from 2015-09-16 to 2015-11-14 (the one analyzed)

As we said before, this group was found to be using the specific string “caca” as a logging tag, which is not something usual: the word “caca” is a colloquial Spanish word for excrement (very similar to the word “poo” in English). We could find it in certain testing code, referring to lines of code that should be removed later, but it is unusual to find it in such similar applications and used in the same way.

Because of that, it makes sense to think that those applications were developed by the same group. Other strings and function names used in the code lead us to conclude that those applications could have been developed by native Spanish speakers. This app uses several commercial third-party services, such as Parse.com for the first network communication.

This first API call is used in order to get all the information necessary to run further actions (URLs, authentication, etc.):

{"results":[{
  "Funcionamiento":" Ahora la única pestaña importante es la de VOT.",
  "action1":"http://tempuri.org/getPinCode",
  "action2":"http://tempuri.org/crearSubscripcion",
  "activa":"si",
  "createdAt":"2015-09-08T16:17:24.550Z",
  "estado":true,
  "id_categoria":"2608",
  "id_subscripcion":"400",
  "metodo1":"getPinCode",
  "metodo2":"crearSubscripcion",
  "namespace":"http://tempuri.org/",
  "nombreApp":"GH16 – españa",
  "numero_corto":"795059",
  "numero_sms":"+34911067088",
  "objectId":"tNREzkEocZ",
  "password":"15xw7v7u",
  "updatedAt":"2015-11-27T10:28:00.406Z",
  "url":"http://ws.alertas.aplicacionesmonsan.net/WebSubscription.asmx?WSDL",
  "urlcode":"http://spamea.me/getcode.php?code=",
  "usuario":"yourmob",
  "vot":true
}]}

As we can see above, it references different URLs: spamea.me is a service that no longer exists at the time of writing, but that used to be hosted on what seems to be a hosting service shared with many other websites. ws.alertas.aplicacionesmonsan.net is a legitimate service focused on mobile monetization, including premium SMS and direct carrier billing.
It is used by the app in order to subscribe the user to a service called “yourmob.com”. Of course, using paid services is not malicious in itself, since it is legitimate for companies to bill for their services, but users should be clearly informed about the service cost and conditions beforehand. Although we found a reference to “Terms and Conditions” (in Spanish) pointing to the website servimob.com, we could not verify that this information is shown to users and, in any case, users don’t have the opportunity to reject the agreement and avoid being subscribed.

Presence outside Google Play

It makes sense that if a group has included this kind of app in Google Play, they would try something similar using other app sources (thanks to Facundo J. Sánchez, who spotted this). Analysis: 9b47070e65f81d253c2452edc5a0eb9cd17447f4 This app worked slightly differently.
It uses other third-party services and sends premium SMSs for monetization.

They get from the server what number to use, for how many seconds, and whether the screen should be on or off. We found that they used very similar words for comments and method names (most of them in Spanish, including “caca”), the same topic (Big Brother), references to “yourmob” and much more, so we can definitely link it with the Spanish group mentioned before. One of the web services used by this application exposed a control panel showing information about people using this app. As you probably know, groups developing this kind of app usually reuse their servers and supporting infrastructure for multiple apps, for example this one: https://www.virustotal.com/en-gb/file/cc2895442fce0145731b8e448d57e343d17ca0d4491b7fd452e6b9aaa4c2508a/analysis/ It was also using the VPS http://vps237553.ovh.net.
Some of the panels and services provided by the VPS were located here:

http://vps237553.ovh.net/nexmo/getcode.php?code=
http://vps237553.ovh.net/polonia/autodirect1.php
http://vps237553.ovh.net/polonia/autodirect2.php
http://vps237553.ovh.net/polonia/guardar_instalacion.php
http://vps237553.ovh.net/polonia/guardar_numero.php
http://vps237553.ovh.net/polonia/guardar_numero.php?androidID=
http://vps237553.ovh.net/polonia/guardar_sms.php
http://vps237553.ovh.net/polonia/push_recibido.php
http://vps237553.ovh.net/polonia/panel.php
http://vps237553.ovh.net/nexmo/

As we can see in their control panel, they have been quite successful in terms of spread, since there are registered phones from many different countries (Spain, Holland, Poland, etc.). In addition, an iterative search on terms such as IP addresses, unique paths, etc. has shown that other apps could be using the same supporting infrastructure shown above, including the following IP addresses and domain names. In particular, one of these IP addresses was pointed to by different domain names in the past months:

kongwholesaler.tk (2016-05-22)
acc-facebook.com (2016-04-11)
h-instagram.com (2016-04-11)
msg-vk.com (2016-04-11)
msg-google.ru (2016-04-10)
msg-mail.ru (2016-04-10)
iwantbitcoins.xyz (2015-11-04)

These domains have probably been used for fraudulent initiatives such as phishing attacks, since they are very similar to well-known and legitimate services. Something that caught our attention was that “vps237553.ovh.net”, used by a sample, was also used at some point (June 2016 according to our passive DNS) by the “servimob.com” domain (the same domain referenced in the app from Google Play).

Back to Google Play

As you can imagine, they tried again to upload a new app to Google Play, following a similar philosophy and techniques to those we have seen before.

e49faf379b827ee8d3a777e69f3f9bd3e559ba03
11a131c23e6427dd7e0e47280dd8f421febdc4f7

These apps were available on Google Play for a few weeks in September 2016, using similar techniques, especially to those of the applications that we found outside Google Play.

Conclusions

This Spanish group has been quite successful at uploading this kind of app to Google Play, using interesting topics such as the Big Brother TV show.
Spain and Poland have been two countries traditionally targeted by SMS scams and similar malware. However, we have never seen in the past few years any group that was able to upload apps to legitimate markets in such an easy way. Perhaps the key point is that they try to be close enough to the border between a legitimate business and a malicious one.
Group-IB says both attacks were likely carried out by the Cobalt group using the malware "ATM spitter." Cybersecurity firm Group-IB has linked the July Taiwan ATM cyber heist to the ATM hacking spree in Europe last year, claiming the two were carried out by the same hacking group, dubbed Cobalt. Reuters reports that Group-IB’s conclusion is based on the fact that the hacking techniques used in both incidents match. A group of 22 foreign nationals are alleged to be behind the First Commercial Bank ATM hack in Taiwan, of which three Eastern Europeans are in custody. Most of the stolen money was recovered, and Taiwan authorities believe the bank network was breached at a London branch. According to a Group-IB report, the hackers used the malware “ATM spitter” in the Taiwan attack as well as in similar hacks carried out in Britain, Russia, Poland, Spain, Bulgaria, and many other European countries, Reuters adds.
(L-R) Defense Undersecretary for Intelligence Marcell Lettre II, Director of National Intelligence James Clapper, and United States Cyber Command and National Security Agency Director Admiral Michael Rogers testify before the Senate Armed Services Committee. Photo: Chip Somodevilla / Getty Images

In a hearing before the Senate Armed Services Committee—a regularly scheduled unclassified briefing on "foreign cyber threats"—Director of National Intelligence James Clapper did very little to preview a report on Russian "cyber" activities around the US elections scheduled to be delivered to President Barack Obama this week.

Clapper did say that an unclassified version of the report would be released to the public early next week. However, that version is unlikely to contain any new specific evidence to support the intelligence community's assertions that the Russian government directed hacking and propaganda operations against Hillary Clinton and the Democratic Party in an attempt to deliberately affect the outcome of the US election. "We plan to brief the Congress and release an unclassified version of this report early next week, with due deference to the protection of highly fragile sources and methods," Clapper said in his opening statement. "We have invested billions, and we put people's lives at risk to get such information.
If we were to expose how we got this, we could just kiss that off. We're going to be as forthcoming as possible." Clapper and National Security Agency Director Admiral Michael Rogers both asserted, however, that the intelligence community was even more certain of Putin's involvement in the meddling in the US election than they were when the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence issued a joint statement in October. "We stand more resolutely now on that statement than we did on the seventh of October," Clapper said. While Clapper said it was almost certain that no votes had been changed by hacking, he noted there was no way to determine the full impact of Russia's information campaign on voters' opinions—"We in the Intelligence Community can't tally that." Much of what Clapper and Rogers said in their testimony echoes data already available from commercial security firms and other sources, as well as the somewhat limited data shared in the DHS-FBI "joint analysis report" (JAR) issued last week.

The report to be delivered to the president will, however, take in the whole of the alleged Russian campaign to influence the election, including the use of Russian state-funded media, social media, and "fake news" to spread disinformation.

The report will likely also include specific data on how the intelligence community linked Putin to the sharing of breached data from the Democratic National Committee and others (including Clinton Campaign Chairman John Podesta) to Wikileaks. In response to a question from the committee on the role of "fake news" disinformation in Russia's election meddling, Clapper said, "Without getting too far in front of the headlights of [the upcoming report], this was a multifaceted campaign—the hacking was only one part of it.
It also entailed classical propaganda, disinformation, and fake news." Clapper acknowledged that the same sort of campaign was ongoing in Europe now, around the upcoming French and German elections. That mirrors forensic evidence that Ars has examined recently in our attempts to connect the dots between operations from the organization behind the "Fancy Bear" group of malware, tools and infrastructure used in the DNC, Democratic Congressional Campaign Committee, and Clinton campaign breaches, and the theft of data from the World Anti-Doping Agency (WADA).
Servers used in connection with some of the spear phishing attacks connected to these breaches have also been used to target French Gmail users recently. (More details of that activity and how it is connected to the information campaign against the Democrats in the US elections are being pulled together for an upcoming Ars report.) Many of the senators from both parties on the Armed Services Committee, including Sen. John McCain (R-Ariz.) and Senator Lindsey Graham (R-S.C.), threw barbs at President-elect Donald Trump for his treatment of the intelligence community and his posts apparently professing greater trust in Julian Assange than US intelligence.

Citing Assange as "the one responsible for publishing the names of people who worked for us" in Iraq and Afghanistan plus the subject of a criminal investigation, McCain asked Clapper and Rogers, "Do you think there's any credibility that we should attach to his statements?" Clapper replied frankly: "Not in my view." For his part, Donald Trump tried to back away from the appearance of endorsing Assange via Twitter: "The dishonest media likes saying that I am in Agreement with Julian Assange - wrong.
I simply state what he states, it is for the people.... to make up their own minds as to the truth.

The media lies to make it look like I am against "Intelligence" when in fact I am a big fan!" Graham was particularly angry at Trump for being overly critical and disrespectful of the intelligence community. "You don't want to undermine those people serving in this arena," he said. He also suggested Obama's sanctions against Russia amounted to "throwing pebbles" when it was time to "throw rocks," because the active campaign to interfere in the US election went far beyond passive espionage. Graham noted that Republicans should be concerned that someone else might do the same thing to them if Trump were to take on China or Iran, and the response to the Russian information operations was an opportunity to deter future interference in the democratic process. “It’s not like we’re so much better at cyber security than Democrats,” he said. Another area Graham focused on was the US Information Agency, the government operator of Radio Free Europe, and other US foreign information operations. He suggested this agency was too archaic in its focus on broadcasting.

Clapper agreed, saying in his closing remarks that what was needed to counter information warfare was a "USIA on steroids"—a new information organization that could take on misinformation from adversaries more aggressively in social media and other places online as well as in the broadcast realm. Russia has used the state-funded RT broadcast service and other outlets to more aggressively spread its version of the global narrative over the past few years.

The country has reportedly even used "troll factories" to create confusion and support nationalist populism in several European countries.